
Pseudorandom Black Swans: Cache Attacks on CTR DRBG

Shaanan Cohney (University of Pennsylvania), Andrew Kwong (University of Michigan), Shahar Paz (Tel Aviv University), Daniel Genkin (University of Michigan), Nadia Heninger (University of California, San Diego), Eyal Ronen (Tel Aviv University and COSIC (KU Leuven)), Yuval Yarom (University of Adelaide and Data61)

Abstract

Modern cryptography requires the ability to securely generate pseudorandom numbers. However, despite decades of work on side-channel attacks, there is little discussion of their application to pseudorandom number generators (PRGs). In this work we set out to address this gap, empirically evaluating the side channel resistance of common PRG implementations. We find that hard-learned lessons about side channel leakage from encryption primitives have not been applied to PRGs, at all levels of abstraction. At the design level, the NIST-recommended CTR DRBG design does not have forward security if an attacker is able to compromise the state via a side-channel attack. At the primitive level, popular implementations of CTR DRBG such as OpenSSL's FIPS module and NetBSD's kernel use leaky T-table AES as their underlying block cipher, enabling cache side-channel attacks. Finally, we find that many implementations make parameter choices that enable an attacker to fully exploit the side-channel attack in a realistic scenario and recover secret keys from TLS connections.

We empirically demonstrate our attack in two scenarios. In the first, we carry out an asynchronous cache attack that recovers the private state from vulnerable CTR DRBG implementations under realistic conditions to recover long-term authentication keys when the attacker is a party in the TLS connection. In the second scenario, we show that an attacker can exploit the high temporal resolution provided by Intel SGX to carry out a blind attack to recover CTR DRBG's state within three AES encryptions, without viewing output, and thus to decrypt passively collected TLS connections from the victim.

I. INTRODUCTION

It is a truth universally acknowledged, that a securely implemented cryptographic primitive must be in want of a cryptographically secure pseudorandom number generator [3]. Modern cryptography relies on randomness to prevent an attacker from predicting secret values generated by parties in a cryptographic protocol. Indeed, random values are universally used to ensure security properties for nearly all cryptographic data, including secret keys for confidentiality or integrity, secret keys for public-key encryption, key exchange, or signatures, as well as for protocol nonces to prevent replay attacks. Thus, a cryptographically secure Pseudorandom Generator (PRG) is one of the fundamental primitives of modern cryptography, both in theory and in practice.

The simplest theoretical PRG construction is an algorithm that expands a smaller seed into a longer output sequence that is computationally indistinguishable from a true sequence of random bits. However, the practical security demands for random number generation are somewhat more complex; in real systems, these pseudorandom number generator constructions are often multi-stage algorithms that collect inputs from environmental entropy sources or hardware into an "entropy pool". The pool is then used to seed a PRG that generates cryptographically secure output. Real world PRGs must also meet additional security guarantees, including recovery from state compromise.

A number of academic works and practical security failures have illustrated the disastrous effects on real-world cryptography from flawed random number generation implementations or designs in the wild. These have ranged from unintentional flaws such as failure to properly seed PRGs [34, 45, 52, 94], to designs prone to implementation mistakes [19], to a suspected intentional back door in the now "deprecated and disgraced" [62] Dual EC DRBG design, which appears to have been repurposed and exploited in the wild [17, 18].

Since their introduction in the seminal works of [5, 64, 65], microarchitectural attacks that exploit contention on internal components to leak information have been used to violate nearly every security guarantee offered by computer systems. Indeed, in recent years there have been numerous examples of side-channel attacks with diverse targets and vectors. These range from attacks that extract cryptographic keys from keystroke timing [28, 92] via CPU caches, attacks that exploit transient execution for breaking fundamental OS isolation guarantees [16, 46, 51, 81, 85], and even attacks that exploit limitations in memory hardware to change or read the contents of stored data [14, 42, 44, 47, 48]. Side-channel resistance is among the key security properties demanded of implementations.

Much less is known, however, about the security of PRGs in the presence of side-channel leakage. While backtracking resistance and prediction resistance are stated to be among the main security goals of the designs in NIST's PRG recommendations (NIST SP 800-90A), the standard does not consider the impact of side channel attacks on these goals. Although some initial evidence [97] already indicates the possibility of exploiting side-channel vulnerabilities in PRG seeding, a systematic exploration of side channel leakage from PRG implementations has not been performed. Thus, in this paper we set out to explore the following main question:

Are common PRG designs susceptible to microarchitectural side channel attacks? What are the security implications of such leakage and how can the attacker exploit it?

A. Our Contribution

Unfortunately, in this paper we give a positive answer to the above questions. CTR DRBG is the most popular PRG design out of those recommended in NIST SP 800-90A, and is supported by 68% of validated implementations in NIST's Cryptographic Module Validation Program (CMVP). On the first question, we show that CTR DRBG is vulnerable to state compromise attacks because some popular implementations still use a non-side-channel-resistant implementation of the underlying block cipher. On the second question, we show that several popular CTR DRBG implementations fail to properly reseed the PRG in many situations, enabling feasible attacks against prediction resistance. Furthermore, we demonstrate that Intel SGX allows a very strong blind state recovery attack in as few as three encryptions, without the attacker having access to PRG output. We demonstrate end-to-end attacks on the CTR DRBG implementations used by OpenSSL's FIPS module, NetBSD, and FortiOS, allowing an attacker targeting TLS connections to recover session secrets and long-term ECDSA keys used for client authentication, and under SGX, to passively decrypt connections.

The Use of T-Table AES. T-table AES is a performance-oriented AES implementation that uses table lookups to compute the state transitions between individual encryption rounds. Unfortunately, because these lookups are key-dependent, T-table AES has become the canonical example of cache side channel leakage [10, 58, 64]. While the use of T-table AES for encryption and decryption operations has been greatly reduced in light of the threat posed by side channels and the availability of AES-NI hardware, similar lessons do not seem to have been learned for the case of random number generation. Remarkably, even after more than a decade of attacks [5, 13, 31, 57, 64], we show that unprotected and leaky T-tables are still used for encrypting the counter inside CTR DRBG by the following popular
• The FortiOSv5 network device operating system uses the same vulnerable CTR DRBG implementation as NetBSD.
• mbedTLS-SGX, a port of the popular mbedTLS cryptography library to SGX [95].
• The nist rng library [39], which is a library for random number generation used by open source projects such as libuntu (a C implementation of NTRUEncrypt), the XMHF hypervisor, as well as others.

CTR DRBG State Recovery. By adapting previous work on AES encryption [58] to the PRG setting, we extend the work of Woodage and Shumow [86] to show how an attacker who observes the cache access patterns of CTR DRBG-based random number generation can recover the PRG's state using about 2000 bytes of the PRG's output. We then empirically demonstrate how a client that connects to a malicious TLS server can be coerced to provide enough PRG output that an attacker can recover the PRG state used during the TLS handshake by concurrently observing the PRG's cache access patterns.

Extracting the Client's TLS Authentication Keys. Next, we show that NetBSD's kernel, OpenSSL's FIPS module and FortiOS fail to reseed the PRG with a sufficient amount of entropy. Thus, by using a moderate amount of brute forcing for the client entropy, the attacker can wind forward the client's PRG and recover the ECDSA nonce used by the client to authenticate herself to the malicious TLS server. Finally, using the recovered ECDSA nonce and the signature produced by the client during the TLS handshake, the attacker can recover the client's long term authentication keys. With authentication key in hand, the attacker can impersonate the client in future TLS connections.

State Recovery Without a Malicious TLS Server. The above attack on TLS requires the victim client to connect to a malicious TLS server, allowing the attacker to observe sufficient output generated by the client's CTR DRBG implementation while simultaneously observing the client's cache access patterns across many AES encryption operations. Tackling this limitation, we perform a novel differential cryptanalysis attack exploiting side channel leakage from T-table based CTR DRBG running inside an SGX enclave. This attack leverages the fact that CTR DRBG encrypts an incrementing counter. Our technique is capable of extracting the PRG's state from only three AES encryption operations, without requiring the attacker to observe the PRG's output. Thus, we eliminate the need for the TLS client to connect to an attacker-controlled server.
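The design-level point made above (CTR DRBG has no forward security once K and V are compromised, and only a reseed with fresh entropy restores it) is easiest to see on a minimal model of the generator. The following Go program is an added teaching example, not code from the paper or from any of the implementations it names. It follows the structure of the AES-128 CTR_DRBG without derivation function from NIST SP 800-90A (update, instantiate, generate, reseed) using the standard library's constant-time AES, and it models state compromise as a plain copy of the working state. The entropy inputs are constructed fixed byte patterns, not real entropy; a production generator must draw them from an approved entropy source.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const (
	blockLen = 16                 // AES block size in bytes
	keyLen   = 16                 // AES-128 key length in bytes
	seedLen  = keyLen + blockLen  // seedlen for AES-128 CTR_DRBG (256 bits)
)

// CtrDRBG is a minimal AES-128 CTR_DRBG without derivation function,
// structured after NIST SP 800-90A section 10.2.1. Teaching model only.
type CtrDRBG struct {
	K             [keyLen]byte
	V             [blockLen]byte
	ReseedCounter uint64
}

// incrementV adds one to V as a big-endian 128-bit counter (mod 2^128).
func incrementV(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		v[i]++
		if v[i] != 0 {
			break
		}
	}
}

// update is the CTR_DRBG_Update function: encrypt successive counter values
// under K, XOR with provided_data, and split the result into the new K and V.
func (d *CtrDRBG) update(providedData [seedLen]byte) {
	block, err := aes.NewCipher(d.K[:])
	if err != nil {
		panic(err)
	}
	var temp [seedLen]byte
	for off := 0; off < seedLen; off += blockLen {
		incrementV(&d.V)
		block.Encrypt(temp[off:off+blockLen], d.V[:])
	}
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	copy(d.K[:], temp[:keyLen])
	copy(d.V[:], temp[keyLen:])
}

// NewCtrDRBG instantiates the generator: K and V start at zero and are then
// derived from the entropy input by one update call.
func NewCtrDRBG(entropyInput [seedLen]byte) *CtrDRBG {
	d := &CtrDRBG{}
	d.update(entropyInput)
	d.ReseedCounter = 1
	return d
}

// Reseed mixes fresh entropy into the state; this is what restores
// unpredictability after a compromise of K and V.
func (d *CtrDRBG) Reseed(entropyInput [seedLen]byte) {
	d.update(entropyInput)
	d.ReseedCounter = 1
}

// Generate returns n output bytes: each block is AES_K(V+1), AES_K(V+2), ...
// (the "encrypts an incrementing counter" structure), then the state is
// updated once with zero additional input.
func (d *CtrDRBG) Generate(n int) []byte {
	block, err := aes.NewCipher(d.K[:])
	if err != nil {
		panic(err)
	}
	out := make([]byte, 0, n+blockLen)
	var buf [blockLen]byte
	for len(out) < n {
		incrementV(&d.V)
		block.Encrypt(buf[:], d.V[:])
		out = append(out, buf[:]...)
	}
	d.update([seedLen]byte{})
	d.ReseedCounter++
	return out[:n]
}

// Snapshot copies the working state, modelling what an attacker holds after
// learning K and V through a side channel.
func (d *CtrDRBG) Snapshot() *CtrDRBG {
	c := *d
	return &c
}

// constructedEntropy builds a fixed, clearly non-random seed for the demo.
func constructedEntropy(fill byte) [seedLen]byte {
	var e [seedLen]byte
	for i := range e {
		e[i] = fill ^ byte(i)
	}
	return e
}

// PredictAfterCompromise reports whether a copied state reproduces the
// victim's next output (1) before and (2) after the victim reseeds.
func PredictAfterCompromise() (beforeReseed, afterReseed bool) {
	victim := NewCtrDRBG(constructedEntropy(0x11))
	victim.Generate(64) // some earlier output, unknown to the copy
	attacker := victim.Snapshot()
	beforeReseed = bytes.Equal(victim.Generate(48), attacker.Generate(48))
	victim.Reseed(constructedEntropy(0x22)) // fresh entropy, not in the copy
	afterReseed = bytes.Equal(victim.Generate(48), attacker.Generate(48))
	return beforeReseed, afterReseed
}

func main() {
	before, after := PredictAfterCompromise()
	fmt.Printf("copied state predicts output before reseed: %v\n", before)
	fmt.Printf("copied state predicts output after reseed:  %v\n", after)
}
```

Running it prints true and then false: between reseeds, a copy of (K, V) reproduces every subsequent output byte exactly, which is why a reseed interval measured in megabytes or a reseed drawn from a small entropy pool leaves the generator predictable for a long window after a single state compromise.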